<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Django 1.6.6 release notes &mdash; Django 1.7.8.dev20150401230226 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.7.8.dev20150401230226',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="Django 1.7.8.dev20150401230226 documentation" href="../index.html" />
    <link rel="up" title="Release notes" href="index.html" />
    <link rel="next" title="Django 1.6.5 release notes" href="1.6.5.html" />
    <link rel="prev" title="Django 1.6.7 release notes" href="1.6.7.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.6.7.html" title="Django 1.6.7 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.6.5.html" title="Django 1.6.5 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.6.6">
            
  <div class="section" id="s-django-1-6-6-release-notes">
<span id="django-1-6-6-release-notes"></span><h1>Django 1.6.6 release notes<a class="headerlink" href="#django-1-6-6-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>August 20, 2014</em></p>
<p>Django 1.6.6 fixes several security issues and bugs in 1.6.5.</p>
<div class="section" id="s-reverse-could-generate-urls-pointing-to-other-hosts">
<span id="reverse-could-generate-urls-pointing-to-other-hosts"></span><h2><a class="reference internal" href="../ref/urlresolvers.html#django.core.urlresolvers.reverse" title="django.core.urlresolvers.reverse"><tt class="xref py py-func docutils literal"><span class="pre">reverse()</span></tt></a> could generate URLs pointing to other hosts<a class="headerlink" href="#reverse-could-generate-urls-pointing-to-other-hosts" title="Permalink to this headline">¶</a></h2>
<p>In certain situations, URL reversing could generate scheme-relative URLs  (URLs
starting with two slashes), which could unexpectedly redirect a user  to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user&#8217;s passwords.</p>
<p>To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.</p>
</div>
<div class="section" id="s-file-upload-denial-of-service">
<span id="file-upload-denial-of-service"></span><h2>File upload denial-of-service<a class="headerlink" href="#file-upload-denial-of-service" title="Permalink to this headline">¶</a></h2>
<p>Before this release, Django&#8217;s file upload handing in its default configuration
may degrade to producing a huge number of <tt class="docutils literal"><span class="pre">os.stat()</span></tt> system calls when a
duplicate filename is uploaded. Since <tt class="docutils literal"><span class="pre">stat()</span></tt> may invoke IO, this may produce
a huge data-dependent slowdown that slowly worsens over time. The net result is
that given enough time, a user with the ability to upload files can cause poor
performance in the upload handler, eventually causing it to become very slow
simply by uploading 0-byte files. At this point, even a slow network connection
and few HTTP requests would be all that is necessary to make a site unavailable.</p>
<p>We&#8217;ve remedied the issue by changing the algorithm for generating file names
if a file with the uploaded name already exists.
<a class="reference internal" href="../ref/files/storage.html#django.core.files.storage.Storage.get_available_name" title="django.core.files.storage.Storage.get_available_name"><tt class="xref py py-meth docutils literal"><span class="pre">Storage.get_available_name()</span></tt></a> now appends an
underscore plus a random 7 character alphanumeric string (e.g. <tt class="docutils literal"><span class="pre">&quot;_x3a1gho&quot;</span></tt>),
rather than iterating through an underscore followed by a number (e.g. <tt class="docutils literal"><span class="pre">&quot;_1&quot;</span></tt>,
<tt class="docutils literal"><span class="pre">&quot;_2&quot;</span></tt>, etc.).</p>
</div>
<div class="section" id="s-remoteusermiddleware-session-hijacking">
<span id="remoteusermiddleware-session-hijacking"></span><h2><tt class="docutils literal"><span class="pre">RemoteUserMiddleware</span></tt> session hijacking<a class="headerlink" href="#remoteusermiddleware-session-hijacking" title="Permalink to this headline">¶</a></h2>
<p>When using the <a class="reference internal" href="../ref/middleware.html#django.contrib.auth.middleware.RemoteUserMiddleware" title="django.contrib.auth.middleware.RemoteUserMiddleware"><tt class="xref py py-class docutils literal"><span class="pre">RemoteUserMiddleware</span></tt></a>
and the <tt class="docutils literal"><span class="pre">RemoteUserBackend</span></tt>, a change to the <tt class="docutils literal"><span class="pre">REMOTE_USER</span></tt> header between
requests without an intervening logout could result in the prior user&#8217;s session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.</p>
</div>
<div class="section" id="s-data-leakage-via-query-string-manipulation-in-contrib-admin">
<span id="data-leakage-via-query-string-manipulation-in-contrib-admin"></span><h2>Data leakage via query string manipulation in <tt class="docutils literal"><span class="pre">contrib.admin</span></tt><a class="headerlink" href="#data-leakage-via-query-string-manipulation-in-contrib-admin" title="Permalink to this headline">¶</a></h2>
<p>In older versions of Django it was possible to reveal any field&#8217;s data by
modifying the &#8220;popup&#8221; and &#8220;to_field&#8221; parameters of the query string on an admin
change form page. For example, requesting a URL like
<tt class="docutils literal"><span class="pre">/admin/auth/user/?_popup=1&amp;t=password</span></tt> and viewing the page&#8217;s HTML allowed
viewing the password hash of each user. While the admin requires users to have
permissions to view the change form pages in the first place, this could leak
data if you rely on users having access to view only certain fields on a model.</p>
<p>To address the issue, an exception will now be raised if a <tt class="docutils literal"><span class="pre">to_field</span></tt> value
that isn&#8217;t a related field to a model that has been registered with the admin
is specified.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Corrected email and URL validation to reject a trailing dash
(<a class="reference external" href="https://code.djangoproject.com/ticket/22579">#22579</a>).</li>
<li>Prevented indexes on PostgreSQL virtual fields (<a class="reference external" href="https://code.djangoproject.com/ticket/22514">#22514</a>).</li>
<li>Prevented edge case where values of FK fields could be initialized with a
wrong value when an inline model formset is created for a relationship
defined to point to a field other than the PK (<a class="reference external" href="https://code.djangoproject.com/ticket/13794">#13794</a>).</li>
<li>Restored <tt class="docutils literal"><span class="pre">pre_delete</span></tt>  signals for <tt class="docutils literal"><span class="pre">GenericRelation</span></tt> cascade deletion
(<a class="reference external" href="https://code.djangoproject.com/ticket/22998">#22998</a>).</li>
<li>Fixed transaction handling when specifying non-default database in
<tt class="docutils literal"><span class="pre">createcachetable</span></tt> and <tt class="docutils literal"><span class="pre">flush</span></tt> (<a class="reference external" href="https://code.djangoproject.com/ticket/23089">#23089</a>).</li>
<li>Fixed the &#8220;ORA-01843: not a valid month&#8221; errors when using Unicode
with older versions of Oracle server (<a class="reference external" href="https://code.djangoproject.com/ticket/20292">#20292</a>).</li>
<li>Restored bug fix for sending unicode email with Python 2.6.5 and below
(<a class="reference external" href="https://code.djangoproject.com/ticket/19107">#19107</a>).</li>
<li>Prevented <tt class="docutils literal"><span class="pre">UnicodeDecodeError</span></tt> in <tt class="docutils literal"><span class="pre">runserver</span></tt> with non-UTF-8 and
non-English locale (<a class="reference external" href="https://code.djangoproject.com/ticket/23265">#23265</a>).</li>
<li>Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers
widget (<a class="reference external" href="https://code.djangoproject.com/ticket/23137">#23137</a>, <a class="reference external" href="https://code.djangoproject.com/ticket/23293">#23293</a>).</li>
<li>Prevented a crash on Python 3 with query strings containing unencoded
non-ASCII characters (<a class="reference external" href="https://code.djangoproject.com/ticket/22996">#22996</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.6.6 release notes</a><ul>
<li><a class="reference internal" href="#reverse-could-generate-urls-pointing-to-other-hosts"><tt class="docutils literal"><span class="pre">reverse()</span></tt> could generate URLs pointing to other hosts</a></li>
<li><a class="reference internal" href="#file-upload-denial-of-service">File upload denial-of-service</a></li>
<li><a class="reference internal" href="#remoteusermiddleware-session-hijacking"><tt class="docutils literal"><span class="pre">RemoteUserMiddleware</span></tt> session hijacking</a></li>
<li><a class="reference internal" href="#data-leakage-via-query-string-manipulation-in-contrib-admin">Data leakage via query string manipulation in <tt class="docutils literal"><span class="pre">contrib.admin</span></tt></a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h3>Browse</h3>
  <ul>
    
      <li>Prev: <a href="1.6.7.html">Django 1.6.7 release notes</a></li>
    
    
      <li>Next: <a href="1.6.5.html">Django 1.6.5 release notes</a></li>
    
  </ul>
  <h3>You are here:</h3>
  <ul>
      <li>
        <a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a>
        
          <ul><li><a href="index.html">Release notes</a>
        
        <ul><li>Django 1.6.6 release notes</li></ul>
        </li></ul>
      </li>
  </ul>

  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../_sources/releases/1.6.6.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
<div id="searchbox" style="display: none">
  <h3>Quick search</h3>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    <p class="searchtip" style="font-size: 90%">
    Enter search terms or a module, class or function name.
    </p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Apr 02, 2015</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.6.7.html" title="Django 1.6.7 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.6.5.html" title="Django 1.6.5 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>